Security Content Update Getting Started Guide (Version: CCS 12.x)


Documentation version: 1.0

Legal Notice

Copyright 2018 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
https://www.symantec.com

Symantec Support

All support services will be delivered in accordance with your support agreement and the then-current Enterprise Technical Support policy.

Knowledge Base Articles and Symantec Connect

Before you contact Technical Support, you can find free content in our online Knowledge Base, which includes troubleshooting articles, how-to articles, alerts, and product manuals. In the search box of the following URL, type the name of your product:
https://support.symantec.com

Access our blogs and online forums to engage with other customers, partners, and Symantec employees on a wide range of topics at the following URL:
https://www.symantec.com/connect

Technical Support and Enterprise Customer Support

Symantec Support maintains support centers globally 24 hours a day, 7 days a week. Technical Support's primary role is to respond to specific queries about product features and functionality. Enterprise Customer Support assists with non-technical questions, such as license activation, software version upgrades, product access, and renewals.

For Symantec Support terms, conditions, policies, and other support information, see:
https://entced.symantec.com/default/ent/supportref

To contact Symantec Support, see:
https://support.symantec.com/en_us/contact-support.html

Contents

Symantec Support

Chapter 1 Introducing Security Content Update (SCU)
  About Security Content Updates
  Prerequisites

Chapter 2 Installing Security Content Update
  Contents of SCU package
  SCU installers for CCS components
  Installing the Security Content Updates using LiveUpdate
  Installing new standard content using the LiveUpdate
  Installing the Security Content Updates manually
  Upgrading content on Agent-based target computers

Chapter 3 Configuring Security Content Update Components
  Data collection support for Sybase databases installed on UNIX (RHEL-Intel and Solaris-Intel) platforms (SCU 2018-2)
  Prerequisites for data collection support for Sybase database
  Workflow for data collection for Sybase databases
  Entities that support data collection for Sybase databases
  Data collection support for Db2 databases (SCU 2018-1)
  Prerequisites for data collection support for Db2 databases
  Workflow for data collection for DB2 databases
  Entities that support data collection for DB2 databases
  Data collection support for MariaDB databases (SCU 2018-1)
  Prerequisites for data collection support for MariaDB database servers
  Workflow for data collection for MariaDB database servers
  Entities that support data collection for MariaDB database instances
  Domain cache file password reset tool (SCU 2018-1)
  Prerequisites for domain cache file password reset tool
  Scenarios considered in domain cache file reset tool
  Data collection support for Windows CIS standards without domain cache dependency (SCU 2018-1)
  Prerequisites for data collection support for Windows CIS standards without domain cache dependency
  Configuring parameters to disable domain cache creation
  Synchronizing configuration parameter changes with agent
  Data collection support for Amazon MySQL RDS instances (SCU 2018-1)
  Prerequisites for data collection support for Amazon MySQL RDS instances
  Workflow for data collection for Amazon MySQL RDS instances
  Adding Amazon MySQL RDS instances to Control Compliance Suite manually
  Data collection support for MySQL database installed on Windows and UNIX (Linux-Intel) platforms (SCU 2017-3)
  Prerequisites for data collection support for MySQL database
  Workflow for data collection for MySQL databases
  About checks in Section 5 of predefined MySQL standards
  Creating a check for custom standard for MySQL
  Entities that support MySQL data collection
  Supported fields for MySQL data collection on Windows and Linux-Intel platforms
  Blacklisting commands for data collection on Sybase, MySQL, MariaDB, and Db2 databases (Updated in SCU 2018-2)
  Oracle credential management in agent-based data collection (SCU 2017-3)
  About Oracle credential management
  Prerequisites for Oracle credential management
  About the ccsorasetup tool
  Configuring parameters for Oracle password management
  Command-based data collection support for UNIX platform
  About command-based data collection for UNIX
  Prerequisites for using command-based data collection for UNIX
  About whitelisting commands for Commands entity for UNIX
  Workflow for using Commands entity for UNIX
  Creating a standard for Commands entity for UNIX
  Creating a check for Commands entity for UNIX
  Adding a command to the check for Commands entity for UNIX
  Permissible command length for the Commands entity for UNIX
  Guidelines for using commands for UNIX
  Support for sudo feature
  Automated MS SQL password management in agent-based data collection
  Symantec guidelines for MS SQL Server password management
  Configuring parameters in ccssqlenv.dat file
  Configuring MS SQL credentials using CCSSQLSetup.exe
  Data collection support for Generic Devices
  Why Generic Devices data collector?
  Prerequisites
  Workflow of Generic Devices data collector
  About whitelisting of commands added to checks used in Generic Devices data collector
  Whitelisting commands for Generic Devices data collector
  Creating a standard and checks for Generic Devices data collector
  Using multiple commands for checks and standards for Generic Devices data collector
  Command standard errors for Generic Devices data collector on Junos OS and Cisco IOS
  Using Security Essentials for Junos OS 15.x Devices
  Script-based custom checks
  Creating script-based check
  About Script tab
  Agent-based Data collection support for File Watch entity for Windows and UNIX platforms
  About File Watch entity
  Supported fields for File Watch entity for Windows and UNIX platforms
  About input file for File Watch entity
  Changing the default size of File Watch input file
  About keywords file for File Watch entity
  Data collection support for agent-based Oracle assets
  Prerequisites for Oracle agent-based data collection support
  Minimum required privileges to query an Oracle database
  Importing Oracle database asset to CCS asset system
  Enhanced mechanism for Oracle asset import and asset update (SCU 2016-1)
  Removal of OCCI dependency in SCU 2015-3
  Support for OCCI package dependency in SCU 2015-2
  Data collection support for MS SQL cluster assets
  Support for agentless MS SQL cluster assets
  Support for agent-based MS SQL cluster assets
  Minimum privileges for SQL Server 2012 and 2014 Asset Import in Agent-based mode
  Cisco network device router data collection
  Minimum privileges for data collection on Cisco assets
  Prerequisites for Cisco router discovery
  Upgrading VMware data collection
  Upgrading CCS assets for Apache Tomcat Standard
  Creating firewall rules to enable remote querying of Windows Updates
  Upgrading Oracle Instant Client to 12.1

Chapter 4 Troubleshooting
  Troubleshooting data collection for Sybase Server
  Troubleshooting Symantec CCS MS Windows data collection module issue during data collection for Amazon MySQL RDS instances
  Troubleshooting the CCS Manager upgrade
  Troubleshooting data collection for Processes datasource
  Troubleshooting timeout error on HP-UX server 11.31
  Troubleshooting ESXi related datasource error when an asset is scoped twice
  Troubleshooting LiveUpdate error during SCU installation
  Troubleshooting LiveUpdate error on Windows 2012 while downloading SCU
  Troubleshooting SSIS-related issue when a scheduled job starts in SQL Server 2008 R2 on a computer that is running Windows 7 or Windows Server 2008 R2
  Troubleshooting VMware ESXi Asset import failure when asset import job is scoped to a vCenter Server

Chapter 5 Improving performance and scalability
  Performance, scalability, and reliability recommendations

Chapter 1 Introducing Security Content Update (SCU)

This chapter includes the following topics:
- About Security Content Updates
- Prerequisites

About Security Content Updates

Security Content Update (SCU) provides periodic security content updates for raw-data collection. SCU includes updates for the following:
- Raw-data content for agent-based and agentless data collection
- Support and enhancements for new platforms
- Raw-data content updates in the form of enhanced standards and checks

For more information about configuring the Raw-data collection and Message based data collection, refer to the Symantec Control Compliance Suite Planning and Deployment Guide for 12.0.

Prerequisites

The following are the prerequisites to install a Security Content Update (SCU):

- Control Compliance Suite 12.0 or later versions
  Before you install a Security Content Update (SCU), you must have Control Compliance Suite 12.0 or later versions installed on your computer.
  To use data collection support for MySQL, MySQL-RDS, MariaDB, and DB2 databases installed on Windows and UNIX platforms, you must upgrade to CCS 12.0.1 (Product Update 2018-1).
  To use data collection support for Sybase databases installed on RHEL-Intel and Solaris-Intel platforms, you must upgrade to CCS 12.0.1 (Product Update 2018-1).

- Quick Fix (QF) 10006
  This QF is supported on CCS 12.0.0. If you have command based standards installed, and you want to upgrade to a newer SCU, you must apply this QF. For information on command based standards, see the Predefined Technical Standards page. You can download the installation package for the QF from the following location:
  http://www.symantec.com/docs/tech251635

- Quick Fix (QF) 10126
  This QF is supported on CCS 12.0.1. If you have command based standards installed, and you want to upgrade to a newer SCU, you must apply this QF. For information on command based standards, see the Predefined Technical Standards page. You can download the installation package for the QF from the following location:
  http://www.symantec.com/docs/tech251635

Chapter 2 Installing Security Content Update

This chapter includes the following topics:
- Contents of SCU package
- SCU installers for CCS components
- Installing the Security Content Updates using LiveUpdate
- Installing the Security Content Updates manually
- Upgrading content on Agent-based target computers

Contents of SCU package

To install an SCU manually, you must download the Security Content Updates (SCU) package from the Security Content Updates page for Control Compliance Suite. You can automate the SCU installation by using the Live Update workspace.

Note: Refer to the SCU_<version number>_release_notes to get detailed information about the updates released in the SCU.

The following are the contents of the SCU package for manual installation:

Table 2-1 Contents of SCU package

File name: CCS_12_x_<version number>_scu_win.exe
Description: This is the main file that you download from the Security Content Updates page. Execute the file to extract the following contents of the package:
- CCS_12_x_APSCCSM_<version number>_scu_win.exe
- CCS_12_x_CCSM_<version number>_scu_win.exe
- 12.x_CCS.tpk files for respective platforms

File name: CCS_12_x_APSCCSM_<version number>_scu_win.exe
Description: Execute the .exe to install the SCU on the computer that has the Application Server and the CCS Manager installed. Execute the .exe to install the SCU on the computer that has the Directory Support Service and the CCS Manager installed.

File name: CCS_12_x_CCSM_<version number>_scu_win.exe
Description: Execute the .exe to install the SCU on the computer on which only the CCS Manager is installed.
Note: If you have more than one CCS Manager in your deployment, ensure when you apply the SCU that all the CCS Managers have the same version of SCU applied.

File name: 12.x_CCS.tpk
Description: Use the .tpk file of the respective platform to update the corresponding target computer. For example:
- Microsoft SQL
- UNIX
- Windows
- Oracle

File name: ESM.tpk
Description: Use the .tpk file of the respective platform to update the corresponding target computer. For example:
- Microsoft SQL

File name: SCU_<version number>_release_notes
Description: This document includes detailed information about the features and enhancements that are released and the details about the customer issues that are fixed in a particular SCU. You can also download this document from the Security Content Updates page.

File name: SCU_Getting_Started_Guide
Description: This user guide explains the SCU installation procedure and related configuration. You can also download this document from the Security Content Updates page.

The following are the contents of the SCU package for LiveUpdate installation:

CCS_12_x_<version number>_<build Number>_CCS_SCU
This is the folder that is downloaded in the CCS staging area. This folder contains the following files for installing the SCU on the Application Server and the CCS Manager using LiveUpdate:
- CCS_12_x_APSCCSM_<version number>_scu_win.exe
- CCS_12_x_CCSM_<version number>_scu_win.exe
- update.manifest
- SCU_Getting_Started_Guide
- SCU_<version number>_release_notes
- 12.x_CCS.tpk

SCU installers for CCS components

The following installers are available in the SCU package. Use the relevant installers to upgrade the CCS components.

Table 2-2 Upgrade installers for CCS components

Component: Application Server or Application Server with CCS Manager
Required files: CCS_12_x_APSCCSM_<version number>_scu_win.exe

Component: CCS Manager
Required files: CCS_12_x_CCSM_<version number>_scu_win.exe

Component: Target computers for agent-based data collection
Required files: 12.x_CCS.tpk

Component: Target computers for agentless data collection
Required files: No separate updates are required. CCS Manager and Application Server updates upgrade the target computers for agentless data collection.

Installing the Security Content Updates using LiveUpdate

Symantec recommends that you install the SCU using the Automatic Updates Installation job on CCS Console. Before running the Automatic Updates Installation job, ensure that you download the SCU package to the computer using LiveUpdate.

See About LiveUpdate workspace

You can also install SCU manually on computers hosting the CCS components.

To download all the available updates from the Live Update Server on the Application Server computer, run the Download Live Updates job. By default, the job is run once in every 24 hours, which is a recommended practice.

See About Download Live Updates job
See Working with Download Live Updates job

After downloading, the SCU package must be copied and installed on the applicable CCS components using the Automatic Updates Installation job from the CCS Console. In the LiveUpdate workspace, the update name is displayed in the following format:

CCS_12_x_<version number>_scu

The SCU LiveUpdate package updates the following components:
- CCS Application Server
- CCS Manager
- Target computers for agentless data collection

To copy and install updates on applicable CCS components

1. On the CCS console, hover over the Admin icon, and then click LiveUpdate.
2. From the Common Tasks list, click Deploy Updates.
3. In the Edit Automatic Updates Installation Job wizard, on the Job Details screen, click Next.
4. On the Specify Deployment Details screen, select the following options as required:
   - Select Update Type to Deploy: Select the updates that you want to install on CCS components.
   - Select Deployment Mode: Select either or both of the following options:
     - Push: After you select this option, the selected update packages are copied to the respective CCS components.
     - Install: After you select this option, the selected update packages are installed on the respective CCS components.
       Note: Installation of updates requires system downtime.
   Click Next.
5. On the Select Site Details screen, select the site to deploy the updates, and then click Next.
   See About using sites
6. On the Specify Install User screen, select the account that you want to use for deployment, and then click Next. The following account options are available:
   - Use Service Account: Use a service account to deploy updates.
   - Select Install User Account: Click the browse option to select a user account that is used for installing the product.
7. On the Schedule Job screen, you can choose to run the job immediately, or schedule the job run at a specified date and time. Click Next.
8. In the Specify Notification Details screen, select the Send Notification box if you want to notify users about success or failure of the job run. Then enter the following details:
   - From (Email ID): Type the sender's email ID. If you want to populate a common email ID in the From field, for all the jobs, specify the email ID in the Settings > Application Settings > System Configuration > Email Notifications.
   - Recipients (Email IDs): Provide a comma-separated list of email IDs of the expected recipients of the notification email.
   - Subject: Specify the subject of the email.
   - Message: Type the message text.
9. On the Summary page, click Finish.

Note: Installation of the SCU 2015-1 or later is not supported on Windows 2003 Server.

Installing new standard content using the LiveUpdate

Any new standard content released in the Security Content Updates (SCU) must be installed using the Add/Remove Programs or Programs and Features window of the computer. The existing content is updated during the LiveUpdate installation. However, any new mandate or regulatory content released in the SCU can be installed as per the requirement.

To install new standard content

1. In the Maintenance panel of the launched Symantec Control Compliance Suite 11.1 installation wizard, select Add/Upgrade, and then click Next.
2. The Add Components panel lists the components that are not installed on your computer. The next panel that appears is dependent on the component you select. Check the Technical Standards or the Regulations and Frameworks which you require for the appropriate platform. You can select individual standards or select a platform name to select all standards for the particular platform.
3. In the Summary panel, review the installation details and click Install.
4. The Install panel indicates the progress of the component installation. After the installation finishes, the Result panel appears.
5. In the Result panel, review the installation result and click Finish.

Installing the Security Content Updates manually

You can also install the SCU manually on computers hosting the CCS components. The SCU web package is used to update the following components:
- CCS Application Server
- CCS Manager
- Target computers for agentless data collection

To update target computers for agent-based data collection, you must install the respective CCS.tpk packages on the target computers separately. The CCS.tpk packages can be found in the AgentContent folder on the Application Server after the SCU installation.

Note: To update message based content on the target computers, use the ESM.tpk. Refer to the ESM Security Update User Guide. For more information about Agent Content Update job, refer to the Symantec Control Compliance Suite 11.1 User Guide.

To install the Security Content Updates manually

1. Download the CCS_12_x_<version number>_scu_win.exe located on the Symantec Security Response site to a known location.
2. Double-click CCS_12_x_<version number>_scu_win.exe to extract the following files:
   - CCS_12_x_APSCCSM_<version number>_scu_win.exe
     Execute CCS_12_x_APSCCSM_<version number>_scu_win.exe to apply SCU on the Application Server and the CCS Manager.
   - CCS_12_x_CCSM_<version number>_scu_win.exe
     Execute CCS_12_x_CCSM_<version number>_scu_win.exe to apply SCU only on the CCS Manager.
3. In the Welcome panel click Next.
4. View the upgrade information in the Upgrade panel and click Next.
5. Select the components to be installed in the Add Components panel and click Next.
6. In the Licensing panel, review the existing licenses or click Add Licenses to add licenses for the components that require mandatory licenses to install. Click Next.
7. In the Installation Folder panel, review the installation path for product installation. Click Next.
8. In the Summary panel, review the installation details and click Install.
9. In the Finish panel, click Finish after the installation is complete.

Note: Installation of the SCU 2015-1 or later is not supported on Windows 2003 Server.

Upgrading content on Agent-based target computers

You can update the CCS Agent content by using the CCS.tpk manually or use the Agent Content Update job.

See Running the Agent Content Update job

To update the CCS Agent content using Agent Content Update job

1. Launch the Agent Content Update wizard in one of the following ways:
   - In the Jobs workspace of the CCS console, click the + icon in the upper-right corner, and then click Agent Content Update.
   - Hover over the Asset System menu, click Agents, and then in the Agents workspace, do one of the following:
     - In the Agent List pane, select the agent that you want to upgrade, right-click the agent, and then click Agent Content Update.
     - Click the + icon in the upper-right corner to select Agent Content Update.
     Note: You cannot select Windows and UNIX agents for the same job; however, you can select AIX, HP-UX, or Solaris agents, which are different flavors of UNIX, for the same job.
   - Hover over the Admin menu, click LiveUpdate, and then in the LiveUpdate workspace, from the Common Tasks list, click Agent Content Update.
2. In the Create or Edit Remote Agent Content Upgrade Job wizard, do the following:
   - In the Specify Job Name and Description panel, do the following:
     - Enter the name for the Agent Content Update job.
     - Enter the description for the Agent Content Update job.
   - In the Select Platform/Server and Type panel, do the following:
     - Select a platform or a server.
     - Expand the platform or server and select its type.
   - In the Select Agents panel, select the agents or agent folders whose content you want to remotely upgrade.
   - In the Schedule panel, do one of the following:
     - Check Run now to run the job immediately.
     - Check Run Periodically to run the job on a specified interval.
   - In the Specify Notification Details panel, select Send notification and type the information for sending the notification, and click Next.
   - In the Summary panel, review all the selections that you made and click Finish.

Note: If an Agent Content Update job is already running and you execute another Agent Content Update job that has a common agent scope with the job that is already in the running state, the second job filters the common agents and runs on the remaining agents. A warning message about the filtered agents is displayed in the Message tab. For example, you create and run job 1 that has agents 1, 2, 3 and you create another job that has agents 3, 4, 5. Since agent 3 is common to both the jobs, in the second job agent 3 is filtered out and the job is run on the remaining agents.

To update the CCS Agent content manually

1. Navigate to the AppServer > AgentContent folder. After installing the SCU web package, the AgentContent folder contains all the CCS.tpk files for CCS 12.x agents.
2. Copy the relevant .tpk file to the agent computer. For example:
   - Windows computer: win-x86\12.x_ccs.tpk
   - Microsoft SQL computers: 12.x_ccsmssql.tpi
   - UNIX: UNIX\Linux\intel\ccs.tpk, UNIX\Linux\intel\12.x_ccs.tpk
   - Oracle: 12.x_ccsoracle.tpi
3. Double-click the relevant tpk file and provide the required inputs. Under the agent content version the raw-data content version is updated.

Chapter 3 Configuring Security Content Update Components

This chapter includes the following topics:

- Data collection support for Sybase databases installed on UNIX (RHEL-Intel and Solaris-Intel) platforms (SCU 2018-2)
- Data collection support for Db2 databases (SCU 2018-1)
- Data collection support for MariaDB databases (SCU 2018-1)
- Domain cache file password reset tool (SCU 2018-1)
- Data collection support for Windows CIS standards without domain cache dependency (SCU 2018-1)
- Data collection support for Amazon MySQL RDS instances (SCU 2018-1)
- Data collection support for MySQL database installed on Windows and UNIX (Linux-Intel) platforms (SCU 2017-3)
- Oracle credential management in agent-based data collection (SCU 2017-3)
- Command-based data collection support for UNIX platform
- Automated MS SQL password management in agent-based data collection
- Data collection support for Generic Devices
- Script-based custom checks
- Agent-based Data collection support for File Watch entity for Windows and UNIX platforms
- Data collection support for agent-based Oracle assets
- Data collection support for MS SQL cluster assets
- Cisco network device router data collection
- Upgrading VMware data collection
- Upgrading CCS assets for Apache Tomcat Standard
- Creating firewall rules to enable remote querying of Windows Updates
- Upgrading Oracle Instant Client to 12.1

Data collection support for Sybase databases installed on UNIX (RHEL-Intel and Solaris-Intel) platforms (SCU 2018-2)

Raw-data collection support for Sybase database that is installed on a RHEL-Intel or Solaris-Intel asset is available in Control Compliance Suite from SCU 2018-2 onwards. This support is available both for agent-based and agentless methods of data collection. By using this feature, you can assess the security configuration compliance posture of the Sybase database servers in your environment.

This topic includes the following sections:

- Prerequisites for data collection support for Sybase database
- Workflow for data collection for Sybase databases
- Entities that support data collection for Sybase databases

Prerequisites for data collection support for Sybase database

The following are the prerequisites for the data collection support for Sybase database:

- Control Compliance Suite 12.0.1
- Control Compliance Suite 12.0.1 APU on RHEL x86 and 64 platforms
- APU Quick Fix (QF) 10120
  This Quick fix provides the infrastructure updates for the data collection support for Sybase database on Solaris-Intel platform. You can download the installation package for the QF from the following location: http://www.symantec.com/docs/tech251636
- The Sybase Server user that is used for data collection must be assigned SA and SSO role

Workflow for data collection for Sybase databases

The workflow for data collection support for Sybase Server instance running on UNIX (RHEL-Intel and Solaris-Intel) computers is similar to the Workflow for data collection for MySQL databases, and involves the following steps:

1. Adding Sybase assets to Control Compliance Suite asset system

   The new asset type Unix Sybase Servers is added to Control Compliance Suite from SCU 2018-2 onwards. The following table contains the list of some of the Sybase Server asset properties.

   Sybase Server Asset Property Name | Description
   Machine Name | This is the name of the Sybase Server asset.
   IP Address | This is the IP Address of the Sybase Server asset.
   Sybase Server Port Number | This is the Port Number which can be used to communicate with the Sybase Server.
   Sybase Server Name | This is the name of the Sybase Server.
   Sybase Server Version | This is the version of the Sybase Server. For example, 15.7.0 and 16.0.
   Sybase Server Home | This is the Sybase Server Home directory.
   Host Operating System | This is the name of the operating system. For example, RHEL.
   Host Operating System Version | This is the version of the Host Operating System. For example, 15.7 is the version of the RHEL Operating System.
   SSH Port Number | This is the default port number for SSH connections.
   SSH Version | This is the SSH version supported by the SSH version.

2. Configuring asset credentials or common credentials for UNIX assets

3. Importing Sybase database assets

   Asset import is performed using Unix assets for both agent-based and agentless data collection.

   Note: On Solaris-Intel, if the non-root data collection user for Unix assets is not the process owner, the Sybase Server name property in the argument cannot be identified because the process arguments are truncated. As a result, the Sybase Server cannot be imported. To import assets for Solaris-Intel, you must grant process owner privileges to a non-root user so that the process arguments are not truncated and the data source is able to identify the Sybase Server name.

   Each Sybase Server instance is created as an asset in Control Compliance Suite. You must select Unix Sybase Servers as the asset type for the Asset Import job.

   Note: These asset types are for raw data collection support. If you are using the Sybase message-based data collection, you must use the Sybase Servers asset type in the Asset Import job.

4. Configuring asset credentials or common credentials for Sybase database assets

   After you add Sybase Server assets to the Control Compliance Suite asset system, you must provide the asset credentials to Control Compliance Suite. These credentials are required for Control Compliance Suite to connect to the assets for which you want to collect data. A new credential type is added for the Sybase platform from SCU 2018-2 onwards. When you add credentials, you must select the Sybase platform. The asset credentials should be configured for the Unix Sybase Server asset type.

5. Running predefined or custom standard against Sybase database assets

   You can run the following platform-specific predefined standards against the respective Sybase database assets:

   Host OS platform | Predefined standard
   UNIX | Security Essentials for Sybase ASE 15.7
   UNIX | Security Essentials for Sybase ASE 16.x

   Note: To view these standards, on the CCS console, click Standards And Policies > Technical Standards > Predefined > Sybase > Unix.

   Alternatively, you can create a custom standard based on the predefined standard. The procedure to create a check for a custom standard for Sybase databases is similar to the procedure to create a check for a custom standard for MySQL.

   See Creating a check for custom standard for MySQL on page 48.

   Note: If you are using a command-based check for Sybase data collection, you must mention 'go' in the Command Details field.

6. Viewing Data Collection details

   After data collection is completed, you can view the data collection results for the job that you run in step 5. The following output formats are supported for Sybase stored procedures in data collection:

   - SP_Returns_Rows - When a stored procedure in the query is executed, it returns the output as rows.
   - SP_Returns_Stanza - When a stored procedure in the query is executed, it returns the output as a stanza.
   - Select_Query - The select executed in a query returns the output as rows.

   The following table provides information about the columns that are used to display the data collection details based on the output format selected.

   Output Format | Output Columns
   SP_Returns_Rows | The stored procedure output is returned in SQL Output Columns 1-5. For example, if the output is returned in 3 columns, the results are pasted in SQL Output Column 1, SQL Output Column 2, and SQL Output Column 3.
   SP_Returns_Stanza | The stored procedure output is returned in SQL Output Column as a stanza.
   Select_Query | The output of the Select executed in the query is returned in SQL Output Columns 1-5. For example, if the output is returned in 2 columns, the results are pasted in SQL Output Column 1 and SQL Output Column 2.

   Note: You can use one of the output formats at a time. Combining the output formats is not supported in SCU 2018-2.

7. Viewing evaluation results

   Note: If you want to evaluate the results based on database-specific parameters, it is recommended to use a cursor.

8. Running metrics computing and data synchronization jobs

9. Viewing reports

10. Viewing dynamic dashboards

See Workflow for data collection for MySQL databases on page 43.
See Troubleshooting data collection for Sybase Server on page 144.
See Prerequisites for data collection support for Sybase database on page 21.
See Blacklisting commands for data collection on Sybase, MySQL, MariaDB, and Db2 databases (Updated in SCU 2018-2) on page 52.

Entities that support data collection for Sybase databases

The following entities in Control Compliance Suite support data collection for Sybase databases running on UNIX computers:

- UNIX SQL Executor
  This entity enables you to execute SQL queries that collect data from Sybase databases running on a UNIX computer.
- isql utility
  This utility is used by SQL Executor to run Sybase SQL commands/queries and communicate with Sybase server.

The supported fields for Sybase data collection on RHEL-Intel and Solaris-Intel platforms are the same as the supported fields for MySQL data collection on Linux-Intel platforms.

See Supported fields for MySQL data collection on Windows and Linux-Intel platforms on page 51.

Data collection support for Db2 databases (SCU 2018-1)

Data collection support for Db2 databases installed on a Windows or a Linux-Intel computer is available in Control Compliance Suite from SCU 2018-1 onwards. This support is available both for agent-based and agentless methods of data collection. By using this feature, you can assess the security configuration compliance posture of Db2 database instances in your environment. Currently, Db2 10.x databases are supported in Control Compliance Suite.

This topic includes the following sections:

- Prerequisites for data collection support for Db2 databases
- Workflow for data collection for DB2 databases
- Entities that support data collection for DB2 databases

- Blacklisting commands for data collection on Sybase, MySQL, MariaDB, and Db2 databases (Updated in SCU 2018-2)

Prerequisites for data collection support for Db2 databases

The following are the prerequisites for the data collection support for Db2 databases:

- Control Compliance Suite 12.0.1
- Security Content Update (SCU) 2018-1
- QF 10111
  This Quick fix provides the infrastructure updates for Db2 commands blacklisting. You can download the installation package for the QF from the following location: http://www.symantec.com/docs/tech250370
- IBM Data Server Driver Package (32 bit package for Windows)
  You must install the IBM Data Server Driver Package (32 bit for Windows) on the CCS Manager computer. You must add the path variables for the Db2 database client, and then restart the Symantec Data Processing Service. This is a prerequisite for agentless data collection support for Db2 database installed on a Windows computer. You can download the package from the IBM product support website.

See Workflow for data collection for DB2 databases on page 26.

Workflow for data collection for DB2 databases

The workflow for data collection support for DB2 database instances running on Windows and UNIX (Linux-Intel) computers is similar to the Workflow for data collection for MySQL databases, and involves the following steps:

1. Adding Windows and UNIX assets to Control Compliance Suite asset system

2. Configuring asset credentials or common credentials for Windows and UNIX assets

   Because DB2 users are OS users, it is currently not possible to use common credentials for DB2 Windows assets and DB2 Unix assets simultaneously. To configure common credentials for DB2 Windows assets and DB2 Unix assets separately, it is recommended to create separate folders for DB2 Windows assets and DB2 Unix assets and move the respective assets to the folders. You can then add credentials at the asset folder level, which are further applied to the assets in that folder.

3. Importing DB2 database assets

   Each DB2 database on an instance is created as an asset in Control Compliance Suite. Depending on whether you want to import DB2 databases installed on Windows computers or UNIX computers, you must select DB2 Databases on Windows or DB2 Databases on UNIX as the asset type for the Asset Import job.

   You can import DB2 database instances running on UNIX computers both in the context of root and nonroot users. However, we recommend importing them in the context of root user. If you import DB2 instances in the context of nonroot user, you must configure the nonroot user with sudo privileges (in the /etc/sudoers file). For ease of execution of sudo commands, you must configure the DB2 commands with a NOPASSWD tag in the sudoers file.

4. Configuring asset credentials or common credentials for DB2 database assets

5. Running predefined or custom standard against DB2 database assets

   You can run the following platform-specific predefined standards against the respective DB2 database assets:

   Host OS platform | Predefined standard
   UNIX | CIS Benchmark for IBM DB2 10.x v1.1.0 for UNIX
        | Note: To view this standard, on the CCS console, click Standards And Policies > Technical Standards > Predefined > DB2 > Unix.
   Windows | CIS Benchmark for IBM DB2 10.x v1.1.0 for Windows
        | Note: To view this standard, on the CCS console, click Standards And Policies > Technical Standards > Predefined > DB2 > Windows folder of the DB2 container in the Technical Standards workspace.

   Alternatively, you can create a custom standard based on the predefined standard. The procedure to create a check for a custom standard for DB2 databases is similar to the procedure to create a check for a custom standard for MySQL.

6. If you enable the sudo option by configuring the SupportsSudo parameter in the bvagentlessconfig.ini file on the CCS Manager computer on which Symantec Data Processing Service is running, you must configure the DB2 data collection user with sudo privileges (in the /etc/sudoers file) on the UNIX target computer. For ease of execution of sudo commands, you must configure the DB2 commands with a NOPASSWD tag in the sudoers file.

   See Configuring the SupportsSudo parameter in the bvagentlessconfig.ini file

7. Viewing evaluation results

8. Running metrics computing and data synchronization jobs

9. Viewing reports

10. Viewing dynamic dashboards

See Workflow for data collection for MySQL databases on page 43.
See Prerequisites for data collection support for Db2 databases on page 26.
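The sudoers requirement in steps 3 and 6 above, as an added example that is not part of the Symantec guide: a POSIX shell check that reads a sudoers fragment and classifies each NOPASSWD rule for a given account, so you can confirm that the data collection user is limited to specific commands rather than ALL. The account names, the /opt/example paths, the DB2_CMDS alias and the sample fragment are constructed assumptions; line continuations and group (%) entries are not handled.

```shell
#!/bin/sh
# Constructed sample sudoers fragment. Accounts, paths and the alias are
# placeholders chosen for this example, not values from the CCS guide.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not from a real host
db2collect ALL=(ALL) NOPASSWD: ALL
db2audit   ALL=(root) NOPASSWD: /opt/example/db2/bin/db2, /opt/example/db2/bin/db2level
db2alias   ALL=(root) NOPASSWD: DB2_CMDS
backup     ALL=(root) /usr/bin/rsync
EOF
}

# audit_nopasswd USER FILE   (FILE may be "-" to read standard input)
# Prints one line per NOPASSWD rule that belongs to USER:
#   BROAD  <rule>  NOPASSWD covers ALL commands
#   REVIEW <rule>  an entry is not an absolute path (alias or relative name)
#   OK     <rule>  every entry is an absolute command path
# Returns 0 when all rules are OK (or none exist), 1 otherwise.
audit_nopasswd() {
    awk -v user="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        $1 != user { next }                      # rules for other accounts
        index($0, "NOPASSWD:") == 0 { next }     # rule still prompts for a password
        {
            # Everything after the tag is the comma-separated command list.
            cmds = substr($0, index($0, "NOPASSWD:") + 9)
            n = split(cmds, c, ",")
            verdict = "OK"
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", c[i])
                if (c[i] == "ALL") { verdict = "BROAD"; break }
                if (substr(c[i], 1, 1) != "/") verdict = "REVIEW"
            }
            print verdict, $0
            if (verdict != "OK") bad = 1
        }
        END { exit bad + 0 }
    ' "$2"
}

# Run the check over the constructed sample for each placeholder account.
for account in db2collect db2audit db2alias; do
    sample_sudoers | audit_nopasswd "$account" - || echo "-> $account: review before use"
done
```

On a target computer, validate the real file with `visudo -c` first, then pass its path as the second argument in place of `-`.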

See Blacklisting commands for data collection on Sybase, MySQL, MariaDB, and Db2 databases (Updated in SCU 2018-2) on page 52.

Entities that support data collection for DB2 databases

The following entities in Control Compliance Suite support data collection for DB2 databases running on Windows and UNIX computers:

- Windows SQL Executor
  This entity enables you to execute SQL queries that collect data from DB2 databases running on a Windows computer.
- UNIX SQL Executor
  This entity enables you to execute SQL queries that collect data from DB2 databases running on a UNIX computer.

The supported fields for DB2 data collection on Windows and Linux-Intel platforms are the same as the supported fields for MySQL data collection on Windows and Linux-Intel platforms.

See Supported fields for MySQL data collection on Windows and Linux-Intel platforms on page 51.

Data collection support for MariaDB databases (SCU 2018-1)

Data collection support for MariaDB databases installed on a Windows or a Linux-Intel computer is available in Control Compliance Suite from SCU 2018-1 onwards. This support is available both for agent-based and agentless methods of data collection. By using this feature, you can assess the security configuration compliance posture of MariaDB database instances in your environment. Currently, MariaDB 10.2.x databases are supported in Control Compliance Suite.

This topic includes the following sections:

- Prerequisites for data collection support for MariaDB database servers
- Workflow for data collection for MariaDB database servers
- Entities that support data collection for MariaDB database instances
- Blacklisting commands for data collection on Sybase, MySQL, MariaDB, and Db2 databases (Updated in SCU 2018-2)

Prerequisites for data collection support for MariaDB database servers

The following are the prerequisites for the data collection support for MariaDB databases:

- Control Compliance Suite 12.0.1
- Security Content Update (SCU) 2018-1
- QF 10111
  This Quick fix provides the infrastructure updates for MariaDB commands blacklisting. You can download the installation package for the QF from the following location: http://www.symantec.com/docs/tech250370
- MariaDB database client on the computer on which DPS is running
  You must make sure that the MariaDB database client is present on the computer on which Symantec Data Processing Service (DPS) is running. You must add the path variables for the MariaDB database client, and then restart the Symantec DPS. This is a prerequisite for agentless data collection support.
- Access privileges to connect from DPS host to MariaDB server host
  The user account that you configure for connection and data collection on MariaDB database instances must have access privileges to connect from the DPS host to the MariaDB server host.

See Workflow for data collection for MariaDB database servers on page 29.

Workflow for data collection for MariaDB database servers

The workflow for data collection support for MariaDB databases running on Windows and UNIX (Linux-Intel) computers is similar to the Workflow for data collection for MySQL databases, and involves the following steps:

1. Adding Windows and UNIX assets to Control Compliance Suite asset system

2. Configuring asset credentials or common credentials for Windows and UNIX assets

3. Importing MariaDB database assets

   Each MariaDB database server is created as an asset in Control Compliance Suite. Depending on whether you want to import MariaDB databases installed on Windows computers or UNIX computers, you must select Windows MariaDB Servers or Unix MariaDB Servers as the asset type for the Asset Import job.

   Note: Consider a scenario where you install SCU 2018-1 on a CCS Manager computer, and the agent has the SCU 2017-3 content. Here, during asset import, if you select Windows MySQL Servers or UNIX MySQL Servers (depending on the host operating system) as the target types, MariaDB assets in your network are also imported to the CCS asset system. If you want to continue using the SCU 2017-3 content on the agent, you must manually delete the MariaDB assets that are imported with the MySQL assets. If you upgrade agent content to SCU 2018-1, MariaDB assets are not imported with the MySQL assets.

4. Configuring asset credentials or common credentials for MariaDB database assets

5. Running predefined or custom standard against MariaDB database assets

   You can run the following platform-specific predefined standards against the respective MariaDB database assets:

   Host OS platform | Predefined standard
   Windows | Security Essentials for MariaDB 10.2.x for Windows
   UNIX | Security Essentials for MariaDB 10.2.x for UNIX

   Alternatively, you can create a custom standard based on the predefined standard. The procedure to create a check for a custom standard for MariaDB database servers is similar to the procedure to create a check for a custom standard for MySQL.

   See Creating a check for custom standard for MySQL on page 48.

6. Viewing evaluation results

7. Running metrics computing and data synchronization jobs

8. Viewing reports

9. Viewing dynamic dashboards

See Workflow for data collection for MySQL databases on page 43.
See Prerequisites for data collection support for MariaDB database servers on page 29.
See Blacklisting commands for data collection on Sybase, MySQL, MariaDB, and Db2 databases (Updated in SCU 2018-2) on page 52.

Entities that support data collection for MariaDB database instances

The following entities in Control Compliance Suite support data collection for MariaDB database instances running on Windows and UNIX computers:

- Windows SQL Executor
  This entity enables you to execute SQL queries that collect data from MariaDB database instances running on a Windows computer.
- UNIX SQL Executor
  This entity enables you to execute SQL queries that collect data from MariaDB database instances running on a UNIX computer.

The supported fields for MariaDB data collection on Windows and Linux-Intel platforms are the same as the supported fields for MySQL data collection on Windows and Linux-Intel platforms.

See Supported fields for MySQL data collection on Windows and Linux-Intel platforms on page 51.

Domain cache file password reset tool (SCU 2018-1)

When a data collection job is executed for a Windows standard, a domain cache is created on a CCS Manager computer for all the involved domains. The cache is created and stored in a Microsoft Access database file (an MDB file). This MDB file is password-protected for security reasons. Until SCU 2017-3, the password of an MDB file was hardcoded, and hence, you could not change it. SCU 2018-1 provides a tool to reset the domain cache file password as per your security guidelines. CCS Manager in the Data Collector role needs this password to open and access the domain cache file. The minimum permissible character limit for a password that you reset is 8.

One CCS Manager may be responsible for collecting data from more than one domain. In such cases, the cache for each involved domain is created in a separate MDB file. However, a common password is set for all the MDB files on the CCS Manager computer.

The domain cache file password reset tool is available both for agentless and agent-based data collection. After you install SCU 2018-1 on your CCS Manager computer, the domain cache file password reset tool is available at the following location:

<CCS installation directory>\symantec\ccs\reporting and Analytics\DPS

Run the tool, and follow the instructions in the tool to reset the domain cache file password. When you use the tool for the first time, you must directly provide the new password for the domain cache file, because the password in use is hardcoded. Subsequently, to reset the password, you must provide the old password and the new password to the tool.

Each time you reset the domain cache file password, the new password is stored in encrypted format in the CacheCred.dat file on your CCS Manager computer. The domain cache file and the CacheCred.dat file are synchronized with the agent and used in data collection from cache-dependent entities in Control Compliance Suite.